Kerberos Constrained Delegation in libsmbclient

Vikram Bharti vikrambharti33 at
Thu Feb 25 11:58:17 UTC 2021

IMO KCD can take service user, password/keytab-file, UPN of impersonation
user, and SPN of service as inputs  (probably in auth_callback)
or it can take final service ticket (TGS-REP) as input in auth_callback.
Not so sure what should be right the way but I leave it up to you decide if
these 2 are feasible or if there is a better way.

On Thu, Feb 25, 2021 at 12:00 AM Jeremy Allison <jra at> wrote:

> On Wed, Feb 24, 2021 at 05:29:37PM +0530, Vikram Bharti via
> samba-technical wrote:
> >Hi ,
> >
> >I was exploring a way to get KCD work with libsmbclient APIs and i see
> >libsmbclient supports Kerberos auth but can't find any API for
> >impersonation and delegation.
> >Pls let me know if there is a way to get it done.
> No, this is not currently available in the libsmbclient API's.
> Can you give an example of what you'd like this to look like,
> so we can assess how hard it would be to implement ?

More information about the samba-technical mailing list